America has lost the world’s trust on personal data . . . so the UK can lead us into the future

While Silicon Valley might still be tech’s Mount Olympus, there is a vast, multibillion-dollar frontier ahead of us into which America cannot lead us. The United States has lost the moral authority to create the environment in which the value in our personal data can be unlocked by technological innovation and made to work in a way that balances the benefits to us with the needs of business.

The reason America can’t step up to that role has a name: Edward Snowden. The revelations of the CIA whistle-blower either make him a traitor or a hero depending on your point of view. What is beyond doubt is that the secrets he leaked have changed forever the atmosphere in which we work out who can do what with our personal information. And that means we need to look elsewhere for direction in navigating the many complex issues around personal data. In an interview with Internet of Me, Don Thibeau, Executive Director of the Open Identity Exchange, suggests that Britain could step up to the plate.

Don Thibeau, OIX Executive Director

“I don’t think change is going to come from the US for a variety of reasons,” he says. “One reason is that the rest of the world will not look to the US for leadership on these kinds of issues in a post-Snowden environment. The US as a brand, if you will, has really taken a big hit from a reputation point of view with the Snowden revelations.

“To me that leaves a leadership vacuum that perhaps the UK might fill as it did in other parts of our history in which Britain provides an alternative to a laissez faire approach to how data is monetized, and instead provides some rules of the road.”

Now, step on it!

Establishing those rules will be critical to how successfully and how quickly progress can be made, and this is the challenge now facing governments and businesses. What’s at stake is the personal data economy, potentially worth £16.5billion a year in the UK alone.

The Open Identity Exchange (OIX) is in the front line when it comes to meeting those challenges. It is a non-profit organisation that works across business sectors to develop trust and online identity solutions, and counts Google, Microsoft, PayPal, Experian and Equifax among its executive members. Its UK division is working with the British Government’s Cabinet Office on developing the GOV.UK Verify programme, a pioneering identity assurance process that aims to revolutionise access to online services. A sensible set of standards and regulations — those rues of the road — accelerate progress rather than hold it back, says Don.

“If you have rules of the road and you know what the speed limit is you can go fast. If there are no speed limits I am constantly looking out for the other guy because I have no trust in what he or she might do. So we need some rules of the road on these issues around data — how is the consumer to provide informed consent about the use and aggregation of data? Who is it that gets to aggregate this data and how do we trust them?”

What such rules lead to, says Don, is trust. And trust is the axis around which all other developments in data-driven technology innovation revolve. From the consumer perspective, this has a lot to do with what businesses and other organisations do with personal information. The driver for change here is a widespread behavioural shift in response to what the public sees as abuse of personal data. Ad tech practices such as tracking users’ web use and targeted online adverts have seen a huge, rapid rise in the use of ad blockers.

Businesses are increasingly aware of the possible damage this can cause to their brands and to the relationships they have with their customers and audiences. More and more are embracing the idea of a fundamental shift in control over personal data to the individual as a way to better engage consumers and develop innovative value propositions. But there is another, more direct, problem for businesses holding huge swathes of personal data, as Don explains.

“It is clear that more people are becoming more conscious of the value of the data they generate in work and social life so, yes, I think there might be change as result of that growing awareness. But another area where I think change may occur — and this is our focus for OIX — is looking at it from an organisational point of view.

“The old world notion was that a company would try to derive and aggregate as much data about its customers as possible and then hold all that data in the belief that it was valuable and that having it at the ready would increase their marketing efforts and so forth.

“The new way of thinking is that holding all that data behind a company’s firewall is a negative, not a positive, because you’re simply inviting a breach and once that happens the value of that data goes down and the value of your relationship with these very same customers could be compromised.”

Putting a premium on progress

And, of course, wherever there is liability there is insurance and Don sees that, too, as an impetus for finding better ways to handle personal data.

“I think one of the levers of change is insurance and I think we’re entering an era where insurance companies are seeing an opportunity to create a new product set called breach insurance. Most forward-thinking companies believe it’s not a case of if you’re going to be breached but when. Companies like Google actually measure the amount and quality of data that’s for sale on the black market so there are new metrics in place where companies can measure how long it takes before data from a particular breach will be available on the black market.

“One could then say if you as an organisation insist on holding all that data then we your insurance company are going to treat you differently to a company that has decided for whatever business reason not to amass and aggregate all that personally identifying information but rather to be a participant in a federated system where they can find the data they need, use it and then return it. So I think change is coming from both the individual point of view but also the organisational attitudes to aggregation of data.”

A fairer, more transparent way to handle personal data is certainly essential to building trust. Again, OIX brings an interesting perspective here.

“Trust is central to OIX,” says Don. “We define trust as the reliability and repeatability of experience. The more predictable someone’s behaviour is, the more you can trust them.”

Trust is in the post

He points to postal services as Government agencies that tend to be widely trusted. The reason for that is we see someone — often the same person — turn up at our home regularly, repeatedly delivering a dependable service. It is the reliability of that experience that underpins our trust in it. What this means, explains Don, is that trust is essentially established at that transactional level. Whether or not directly commercial, most of our online activity revolves around transactions of one kind or another.

“OIX members want a high volume and velocity of transactions because that’s what they’re in business to do,” he says. “Trusted transactions often occur working with people you don’t trust or who you compete with so you have to come up with frameworks or schemes that allow organisations that might be highly competitive or have highly disparate missions to be able to transact with each other. Trust is the engine of transactions.”

Don sees the Government’s Verify programme as a potential trailblazer, both for other identity assurance solutions and for collaborations between public and private sector, creating that necessary framework that will let everyone go faster — those all important rules of the road.

“Part of the role of OIX UK is the gathering point for a self-regulatory system, a set of rules of the road that comes about from a collaboration between public and private sector. This is why Verify is interesting to watch. The public sector Cabinet Office strategy is predicated on a commerce dynamic that is unprecedented. Can this notion of agency work? Can the British population trust a selection of ID providers sufficiently so they can transact online?

“[Former Cabinet Office Minister] Francis Maude said this has to happen because the Government can’t afford to do it any other way. The UK simply cannot afford the luxury of delivering services through call centres and drop-in centres. It’s not an economic model that can be sustained. So this is a fantastic experiment that we’re about to watch in real time as Verify goes live.”

Verify certainly embodies the central belief of the Internet of Me that personal data can create trust by delivering real benefit both to individuals and to the organisations using their information. The win-win situation.